POST-QUANTUM

Built for the cryptography after this one.

Long-lived records are already signed with a hybrid of Ed25519 and ML-DSA-65 (FIPS 204). When standards move, signing rotates forward — old proofs stay verifiable, weaker schemes stay banned.

Ed25519 ‖ ML-DSA-65LiveML-KEM transportPlanned
Live
Running in canary or production now.
In build
Code in progress — status tracked in the build plan.
Planned
Design locked, not yet started.
THREAT MODEL

What a quantum computer breaks — and what it does not.

The quantum threat is specific, not apocalyptic. Shor's algorithm attacks the public-key signatures that prove identity; Grover's only halves the effective strength of a hash. So the honest picture is narrow: signatures need to move first, hashes mostly do not.

01 · Signatures (Shor)

Public-key signatures are the exposure.

A large enough quantum computer would break classical public-key signatures like Ed25519 via Shor's algorithm. That is why long-lived records that prove history — the audit chain, the asset-ledger — are the part that must move to post-quantum schemes first.

Mechanism: Shor breaks classical public-key — hybrid signatures hedge it.

02 · Hashes (Grover)

Hashes lose half their strength, not all of it.

Grover's algorithm gives only a quadratic speed-up against a hash, halving its effective bits. BLAKE3 keeps a roughly 128-bit post-quantum security margin, so the integrity layer stays sound without a redesign.

Mechanism: Grover halves hash strength — BLAKE3 stays ~128-bit PQ.

03 · The honest window

Harvest-now-decrypt-later, stated plainly.

No quantum computer can steal funds today. The real risk is harvest-now-decrypt-later: data captured now and decrypted once the hardware exists. It only matters for things that must stay secret or verifiable for many years — which is exactly why long-lived records are moved early rather than left waiting.

Mechanism: long-lived records hardened early — the risk window is owned, not denied.

WHAT IS ALREADY POST-QUANTUMHybrid asset-ledger signatureLive

Already signing post-quantum, today.

This is not a roadmap promise. Integrity already rides on BLAKE3, and the marketplace asset-ledger is already signed with a hybrid of a classical and a lattice scheme — so a forgery would have to break both at once.

BLAKE3 integrityLiveHybrid asset-ledger signatureLive

Asset-ledger signature

Classical · EdDSAEd25519Battle-tested public-key signature — the proof that holds today.
Lattice · FIPS 204ML-DSA-65Standardised post-quantum signature — the proof that holds after Shor.

A forgery must break BOTH Ed25519 and ML-DSA-65 — classical and post-quantum safety stack, they do not substitute.

CRYPTO-AGILITY

Strengthen the scheme without losing the past.

Every signature is wrapped in a self-describing envelope. The scheme can be upgraded without breaking the verifiability of older proofs — and a verifier can never be talked down to a weaker scheme.

Signature envelope

{ algo_id, key_id, sig }
algo_id
Names the scheme used, so a verifier knows exactly how to check the signature.
key_id
Identifies the signing key, so keys can rotate without ambiguity.
sig
The signature bytes themselves, over the record being proved.

Rotate forward, verify backward.

When a standard moves, new records are signed under a stronger algo_id while older proofs stay verifiable under the scheme they were made with. Nothing has to be re-signed to keep the history checkable.

No downgrade, ever.

Each collection's genesis page pins the minimum acceptable scheme. A verifier cannot be persuaded to accept anything weaker, so an attacker cannot negotiate the system down to a broken algorithm.

PLANNEDML-KEM transportPlanned

What crypto-agility is queued to absorb next.

The envelope is built precisely so these can land without disrupting what already verifies. Both are design-locked and labelled Planned.

ML-KEM hybrid transport.

A hybrid key-establishment for the transport layer (classical ‖ ML-KEM), so session keys gain post-quantum protection against harvest-now-decrypt-later capture. Planned.

PQC for custody key-shares at rest.

Post-quantum protection for the threshold custody key-shares while they are at rest, extending the same hardening to the material behind withdrawals. Planned.

DETAILS

Questions, answered straight.

What the quantum threat actually means for your funds — without the hype, and without pretending the risk is zero.

Can a quantum computer steal funds today?

No. No quantum computer exists that can break the signatures protecting funds, and withdrawals are also gated by threshold custody, step-up, and whitelists. The honest concern is harvest-now-decrypt-later — data captured today and attacked later — which only matters for records that must stay secret or verifiable for years. That is exactly why long-lived ledger records are already on hybrid post-quantum signatures.

What is ML-DSA-65?

ML-DSA is the Module-Lattice Digital Signature Algorithm standardised by NIST as FIPS 204 (derived from CRYSTALS-Dilithium). The "-65" is its parameter set, a middle security level. It is a post-quantum signature scheme — its security rests on lattice problems believed to resist both classical and quantum attacks — and Inanomo uses it as the post-quantum half of the asset-ledger's hybrid signature.

Why hybrid instead of pure post-quantum?

Because hedging beats betting. A hybrid signs with both a classical scheme (Ed25519, decades of scrutiny) and a post-quantum one (ML-DSA-65), so a forgery has to break both at once. If a weakness were ever found in the newer lattice scheme, the classical half still holds — and vice versa once quantum hardware arrives. Pure post-quantum would stake everything on the youngest scheme alone.

What stays safe even if Ed25519 falls?

Two things. The integrity layer — the BLAKE3 hash chain — keeps a roughly 128-bit post-quantum margin, because Grover only halves a hash's strength rather than breaking it. And the asset-ledger signatures stay sound because the ML-DSA-65 half of the hybrid is independent of Ed25519: breaking the classical half alone does not forge a hybrid signature.

KEEP READING

The hybrid signatures live in the marketplace's verifiable ledger; custody holds the keys those records protect, and transparency lets you check the chain for yourself.

High-risk derivatives. Trading perpetuals can result in loss exceeding initial margin. Not for residents of restricted jurisdictions (non-US · non-UK).
Full risk disclosure →